The problem is not mail servers, they tend to be fairly conventional in their setup, certainly for smtp/25. It is all the other stuff.
I started this because as a SOHO/small business I want to automate everything I can. Partly because I am away from the office fairly often, secondly if I can automate things they don't get overlooked until someone or something (eg your DANE check) complains.
From the your tone, Victor, you sound as though you may already know of a better solution.
JohnA
On 2017-04-26 1:01 PM, Viktor Dukhovni wrote:
On Apr 26, 2017, at 12:29 PM, john john@klam.ca wrote:
Is an automatic TLSA update system worth doing?
Portability across multiple deployment architectures may be difficult, so a tool for the public is difficult. It is certainly worth doing for your own private deployment.
Linux servers, need SRV records in order to determine the port and host for each TLSA record.
For SMTP the port is always 25, and the hostnames come from the MX records, and you already need the hostnames for the certificate.
For XMPP, indeed the hostnames and ports may come from the appropriate SRV records. Once again, you'll need the hostnames to obtain the requisite certificates, with our without TLSA records in the picture.
Of course the hostnames could be in a separate configuration file, and be used to manage all of the underlying configurations:
- Generate the SRV and MX records
- Configure certbot
- Automate TLSA record creation
all from a single primary source managed by the administrator.